Treasury group unveils guidance for financial sector on cloud adoption
The Treasury Department and an industry-led nonprofit on Wednesday released secure cloud adoption guidance for financial institutions, the culmination of a year-long effort that the agency’s deputy secretary called “critically important to our work on cybersecurity.”
The suite of resources released by Treasury and the Financial Services Sector Coordinating Council as part of the public-private Cloud Executive Steering Group is intended to address gaps called out in the department’s February 2023 report on the industry’s use of cloud services.
During a press briefing in Washington, D.C. to unveil the cloud guidance, Deputy Treasury Secretary Wally Adeyemo said the steering group’s work with cloud providers “is a demonstration that we have the ability to work beyond just the financial system.”
Treasury has grown “increasingly concerned” with cyber threat actors “looking to make money or state actors seeking to target our financial systems,” Adeyemo said. The steering group’s work with cloud providers on these resources “put us in a position where we can go provide information to financial institutions and also the regulators, but also work collaboratively with these institutions.”
The resources for financial institutions include a roadmap for comprehensive or hybrid cloud adoption, best practices for third-party risks tied to cloud service providers, an assessment of existing oversight authorities for cloud providers, and strengthened transparency and monitoring of cloud services for “security by design” practices.
Additionally, the Office of the Comptroller of the Currency led work on establishing “a common lexicon” for cloud discussions among regulators and financial institutions, while the Consumer Financial Protection Bureau guided resource production on information sharing and coordination.
Much of the guidance unveiled Wednesday was produced with small financial institutions in mind, regulators and Financial Services Sector Coordinating Council leaders said during the event. Todd Conklin, deputy assistant secretary for Treasury’s Office of Cybersecurity and Critical Infrastructure Protection and the department’s chief artificial intelligence officer, noted that some large banks interviewed as part of the steering group’s work had hundreds of cloud technologists on staff and were able to take a “judicious” approach to cloud adoption.
But the smallest financial institutions were often at the mercy of third-party vendors and “forced” into full-scale cloud adoption “before they were ready,” Conklin said.
“What we’re releasing today in this batch of work really is aimed at our smallest financial institutions who are 100% cloud and yet are really still struggling,” added Conklin, who previously warned of small banks’ limitations in using AI to ward off cyber threats.
CFPB Director Rohit Chopra echoed Conklin’s concerns about small financial institutions, particularly with regard to “bargaining leverage” that banks and credit unions of that size lack “to make sure their systems can be turned on quickly, just like the biggest names on Wall Street.”
Chopra also raised concerns about the current cloud market, which is dominated by a few major service providers tied to a handful of Big Tech companies. Chopra wondered aloud whether federal agencies should be “enhancing some of the regulations” covering top cloud providers, while also crediting the participating financial institutions in providing a roadmap to secure services.
“Just imagine what will happen to families and businesses in this economy if they cannot make payments, they cannot withdraw money, or they cannot do what they need to do in their daily lives,” he said. “We need to make sure that our cloud infrastructure is resilient, that it is always working, and that an outage does not create a massive financial crisis.”